Transcript
8/7/2019 Windows Security Architecture
1/28
Windows Security Architecture
Presented by:
Mousumi Ray (9030241120)Reshma Wawhal (9030241129)Samreen Ansari (9030241131)Shubhangini (9030241133)
8/7/2019 Windows Security Architecture
2/28
Pre-Logon Security: ComputerAccounts
2
8/7/2019 Windows Security Architecture
3/28
Pre-Logon Security: ComputerAccounts
3
8/7/2019 Windows Security Architecture
4/28
The second line of defense, after computeraccounts, against both intentional and
unintentional harm Default behavior is to require a user name
and password before you can log on Windows 2000/2003/XP can use various
technologies to authenticate a network userslogon request: Kerberos, Certificates and Smart cards
Logon Security: Getting in the door
4
8/7/2019 Windows Security Architecture
5/28
User Name
Passwords and Passwords Policies
Ctrl+Alt+Delx %windir%\system32\rundll32.exe
user32.dll,LockWorkStation
RunAs service lets you run any program under
any security contextx The major benefit is that even network
administrators and IT support personnel neednot perform routine daily work with theiradministrative account
Logon Security: Getting in the door
5
8/7/2019 Windows Security Architecture
6/28
Account Lockout
The policies, which can be viewed in the
Domain Security Policy consolex Account lockout duration
x Account lockout threshold
x Reset account lockout counter
Remote Access Security I: RRAS, IAS, and AD Authentication Protocols
AD Authentication
RRAS and IAS
Logon Security: Getting in the door
6
8/7/2019 Windows Security Architecture
7/28
Remote Access Security II: Securing SystemSoftware
Windows Update Software Update Server
Proxy Servers and Firewalls
Antivirus Software
Logon Security: Getting in the door
7
8/7/2019 Windows Security Architecture
8/28
User and Group Rights
Rights are
privileges.
Groups :collection of
useraccounts.
8
8/7/2019 Windows Security Architecture
9/28
User and Group Rights
9
8/7/2019 Windows Security Architecture
10/28
User and Group Accounts Built-In Local User and Group Accounts
Local User Accountsx Administrator
x System management & configuration tasksx Rename & dont delete
x Guestx Limited accessx Disable by defaultx Rename.
Local Group Accountsx Administratorsx Backup Operatorsx Guests:x Usersx Power Usersx
Replicators
10
8/7/2019 Windows Security Architecture
11/28
User and Group Accounts
System Groups Everyone AuthenticatedUsers Terminal Server Users Creator/Owner Network
Anonymous Logon Dialup Interactive
11
8/7/2019 Windows Security Architecture
12/28
User and Group Accounts
Built-InDomain User and Group Accounts
Domain
User Accounts
Domain Admin
External User
Guest
TsInternetUser (used byTerminal Services only)
Domain User Accounts
12
8/7/2019 Windows Security Architecture
13/28
Object Permissions
Share permissions
read, change, and full control File and folder (NTFS) permissions
read, read+execute, write, modify, list foldercontents (for folders only), and full control
Registry permissions Printer permissions
13
8/7/2019 Windows Security Architecture
14/28
Security for stored data
Digital Signatures and Driver Signing
Windows File Protection
Encrypting File System (EFS)
14
8/7/2019 Windows Security Architecture
15/28
Digital Signatures and Driver
Signing Microsoft brands a digital signature
Into core operating system files Drivers that it ships with Windows Into files Drivers released subsequently
Computer Configuration\Windows
Settings\Security Settings\LocalPolicies\Security Options.
The three behaviours Ignore, Warn, Failwhichactivate upon an attempt to install a new driver.
15
8/7/2019 Windows Security Architecture
16/28
Windows File Protection
The Guardian Angel
The Windows 2000/2003/XP approach is to run a file system guardian angelin the background.
Guardian angel watching over system files that live in the system root folder andhave the extensions DLL, EXE, FON, OCX, SYS, and TTF
When this guardian angel detects that a program has updated (or, in somecases, backdated!) one of these files, it tries to automatically restore the original
version of the file, typically from the hip pocket folder%systemroot%\SYSTEM32\DLLCACHE.
If the file is not in DLLCACHE or in the driver archive%systemroot%\Driver Cache\I386\DRIVER.CAB, then theguardian angel pops up awindow asking you to supply the originalinstallation media.
16
8/7/2019 Windows Security Architecture
17/28
Command-Line Utilities
User may run into occasions when he would like to perform asignature scan yourself. Two utilities are available for thispurpose: SIGVERIF and SFC .
The SIGVERIF.EXE command-line utility, a.k.a. SignatureVerification Tool, scans protected system files and verifiestheir digital signatures.
The program creates the log file SIGVERIF.
TXT
to provide arecord of the scan.
Microsoft also provides a command-line program calledSFC.EXE, for System File Checker. SFC to scan system filesfor digital signatures.
17
8/7/2019 Windows Security Architecture
18/28
Encrypting File System (EFS)
EFS is a public key encryption method, meaning that a public keyis used to encrypt a file and a private key is used to decrypt it.
Encrypt a folder by right-clicking it in Windows Explorer, choosingProperties, clicking the Advanced button, and checking the EncryptContents to Secure Data box.
After you encrypt a folder, you can only have access to that folder
and its contents when you log on with the same user account andpassword that you used when you encrypted the folder originally.
A user may forget an account password and have created encryptedfiles under that account. If that happens, the recovery agent has a
private key that will unlock an encrypted file.
18
8/7/2019 Windows Security Architecture
19/28
Security for Transmitted Data
IPSec for secure authentication, confidentiality
Key features: IPSec operates at Layer 3 IPSec works between workstations, between
workstations and servers, and between servers. IPSec in Windows 2003/2000/XP permits configuration
through Group Policy and Active Directory utilities. Users do not have to be in the same domain to use IPSec Simple routers do not need any special configuration to
work with IPSec.
19
8/7/2019 Windows Security Architecture
20/28
Security for Transmitted Data
Packet filtering is a technique for restricting traffic
or activating a security policy depending on apackets source address, destination address,and/or traffic type.
20
8/7/2019 Windows Security Architecture
21/28
Security for Transmitted Data
Wired Equivalent Privacy, known as WEP, arises
from the IEEE standards for wireless networks( 8 0 2 . 11b) and encrypts the data flow betweenthe wireless client and access point.
21
8/7/2019 Windows Security Architecture
22/28
Local and Group Policy
Policies are really more of a mechanism forimplementing and controlling the various other
types of Windows 2003/2000/XP security than a newtype of security themselves.
Hierarchical Structure :In Active Directory, anenterprise network has different levels, as follows:
Forests Sites Trees Domains Organizational Units
22
8/7/2019 Windows Security Architecture
23/28
Local and Group Policy
Local Security Policy and Domain Security PolicyWindows provides the Local Security Policy console in
the AdministrativeT
ools folder of a workstationmachine, and the Domain Security Policy console in theAdministrative Tools folder of a server, to enable you towork only with security-related policies.
Local Security Policy console is simply a subset of the
entire set of policies, open GPEDIT.MSC via the Start >Run dialog box, and navigate to\Local Computer Policy\ComputerConfiguration\Windows Settings\SecuritySettings. Now, open the Local Security Policy console
via AdministrativeT
ools > Local Security Policy
23
8/7/2019 Windows Security Architecture
24/28
Local and Group Policy
SecurityTemplates : The company has provided
a way to set a whole bunch of policies in one fellswoop and a whole bunch of file system andRegistry access permissions, too.
Security templates preconfigured for you by
Microsoft have the suffix INF and live in%systemroot%\security\templates.
e.g. BASICDC, BASICSV, BASICWK,HISECDC,HISECWK,SECUREDC etc.
24
8/7/2019 Windows Security Architecture
25/28
Local and Group Policy
Security Configuration and Analysis It lets you compare a machines present setup
against a specific security template. apply a template to a local PC, or to a Group Policy
object such as a domain or organizational unit.
Steps:
Duild the console Run MMC.EXE Add the security Configuration and Analysis snap-
n.
25
8/7/2019 Windows Security Architecture
26/28
Auditing
Auditing is keeping track of events that may reflect onsystem security. (COMPMGMT.MSC)
Activate Logon Auditing : Windows can monitor logons, both
successful and unsuccessful, and record them in theSecurity event log.
Object Auditing : Windows 2000 can also monitorsuccessful and unsuccessful accesses to objects namely files, folders, the Registry, and printers and record those accesses into the Security eventlog.
26
8/7/2019 Windows Security Architecture
27/28
References
http://hakindia007.blogspot.com/2009/11/win
dows-security-architecture.html http://images.globalknowledge.com/wwwimages/whitepaperpdf/WindowsSecurity.pdf
27
8/7/2019 Windows Security Architecture
28/28
Thank You !
28
top related